
Kevin wharram



This presentation covers virtualization and private cloud security


Page 1: Kevin wharram
Page 2: Kevin wharram

Welcome

Kevin Wharram, CISSP, CISM, CEH, EnCE, GCFA, 27001 Lead Auditor

Member of the ISACA Security Advisory Group at ISACA London Chapter

My interests are in – Forensics, Virtualization and Cloud Security


Page 3: Kevin wharram

Agenda

• What is Virtualization?

• Server Virtualization Analogy

• Virtualization Security

• Virtualization Compliance

• What is Cloud Computing?

• What is a Private Cloud?

• Private Cloud Security

Page 4: Kevin wharram

What is Virtualization?

Virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system (OS), a server, a storage device or a network resource.

Source - http://en.wikipedia.org/wiki/Virtualization

Page 5: Kevin wharram

What is Virtualization cont.

Virtualization presents hardware resources as virtual resources:

• CPU

• Memory

• Storage (Disk)

• Network Interface (NIC)

Page 6: Kevin wharram

History of Virtualization

• Not a new concept

• First developed in the 1960s and was better known as time-sharing

• IBM developed the idea of a Virtual Machine Monitor (VMM), which is also known as a Hypervisor

Page 7: Kevin wharram

Types of Virtualization

• Server Virtualization

• Desktop Virtualization (VDI)

• Application Virtualization

• Network Virtualization

• Storage Virtualization

Page 8: Kevin wharram

Server Virtualization


Page 9: Kevin wharram

What is Server Virtualization?

• Encapsulate the OS and present “virtual hardware”

• Run many OSes on a single hardware platform

• Consolidate underutilized servers

• VMware (vSphere), Microsoft (Hyper-V), Citrix (XenServer) and Solaris Containers

Page 10: Kevin wharram

Server Virtualization Analogy

Hotel vs Holiday Home

Page 11: Kevin wharram

Copyright © 2004 VMware, Inc. All rights reserved.

Traditional Server

Server without Virtualization

Holiday Home


Page 12: Kevin wharram

Virtualized Server

Server with Virtualization

Hotel

Page 13: Kevin wharram

Desktop Virtualization


Page 14: Kevin wharram

What is Desktop Virtualization?

• Desktop virtualization separates a personal computer desktop environment from a physical machine using a client–server model of computing

• Desktop virtualization is sometimes referred to as Virtual Desktop Infrastructure (VDI)


Page 15: Kevin wharram

What is Desktop Virtualization cont.

• Remote Desktop (RDS) is different to VDI

• With RDS, all users share the same OS. With VDI, each user has their own real OS (either dedicated or assigned from a pool)

• VMware View, Citrix (XenDesktop) and Kaviza


Page 16: Kevin wharram

Application Virtualization


Page 17: Kevin wharram

What is Application Virtualization?

• Encapsulate applications (run conflicting applications on the same system, e.g. IE7 and IE8)

• Avoid applications corrupting the OS

• Application delivery (Stream, ESD, Other)

• VMware (ThinApp), Microsoft (App-V) and Citrix (XenApp)

Page 18: Kevin wharram

Network Virtualization


Page 19: Kevin wharram

What is Network Virtualization?

• Network virtualization is a method used to combine computer network resources into a single platform, known as a virtual network

• Not a new concept

• Virtual private networks (VPNs) are widely used

• Virtual Local Area Networks (VLANs) are a form of network virtualization

Page 20: Kevin wharram

Physical Network


Page 21: Kevin wharram

VMware Virtual Network


Page 22: Kevin wharram

Storage Virtualization


Page 23: Kevin wharram

What is Storage Virtualization?

• Storage virtualization is the amalgamation of multiple network storage devices into what appears to be a single storage unit. Storage virtualization is often used in SANs (storage area networks).

Source - http://www.webopedia.com/TERM/S/storage_virtualization.html

Page 24: Kevin wharram

Virtualization Security


Page 25: Kevin wharram

Industry Comments

ESG Research indicates that security professionals lack virtualization knowledge and best practice models for server virtualization security.

Gartner survey: “40% of virtualization deployment projects were undertaken without involving the information security team in the initial architecture and planning stages.”

Gartner analyst Neil MacDonald wrote: “Virtualization is not inherently insecure. However, most virtualized workloads are being deployed insecurely.”

Page 26: Kevin wharram

Virtualization Security Benefits

• Patching

• Disaster Recovery

• Investigation

• Forensics


Page 27: Kevin wharram

Virtualization Security Issues

• Virtual environment misconfiguration

• Processes

• Lack of Controls

• Access Controls

• Software Vulnerabilities

• Malware


Page 28: Kevin wharram

VMware vSphere Security

• vCenter

• Networking, vSwitches, Cisco Nexus 1000v, vLANs

• Storage

• Logging

• Monitoring

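The "virtual environment misconfiguration" issue and the vSphere hardening guides listed in the resources come together at the level of individual VM settings. The script below is an added example, not code from the presentation or from VMware: it parses a VMware .vmx file and reports which of a small set of guest-isolation and remote-display parameters are missing or not set to the hardened value. The parameter subset and the sample .vmx content are constructed for illustration; the authoritative list and values for a given vSphere release come from that release's hardening guide.

```python
"""Audit a VMware .vmx file against a subset of vSphere hardening-guide settings.

Added example, not from Kevin Wharram's presentation or from VMware. The
keys below are guest-isolation and remote-display parameters from the
vSphere hardening guides; the subset and the sample .vmx file are
constructed here for illustration, so take the full list and the
expected values from the current guide for your vSphere release.
"""
import re

# Hardened value expected for each parameter (constructed subset).
EXPECTED = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.tools.diskShrink.disable": "TRUE",
    "isolation.tools.diskWiper.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",
    "isolation.device.edit.disable": "TRUE",
    "RemoteDisplay.maxConnections": "1",
}

# A .vmx line is   key = "value"   ; keys may contain dots, colons and digits.
_VMX_LINE = re.compile(r'^([\w.:-]+)\s*=\s*"(.*)"$')


def parse_vmx(text):
    """Return {key_lowercased: value} for every key = "value" line in text.

    Blank lines and # comments are skipped; keys are lower-cased so that
    the comparison in audit_vmx() is case-insensitive.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def audit_vmx(text):
    """Compare a .vmx file with EXPECTED.

    Returns a sorted list of (key, actual_value_or_None, expected_value)
    for every parameter that is missing or set to a non-hardened value.
    An empty list means every checked setting is hardened.
    """
    settings = parse_vmx(text)
    findings = []
    for key, expected in EXPECTED.items():
        actual = settings.get(key.lower())
        if actual is None or actual.strip().upper() != expected.upper():
            findings.append((key, actual, expected))
    return sorted(findings)


# Constructed sample: one setting hardened, one explicitly weak, the rest absent.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
guestOS = "rhel5-64"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "false"
RemoteDisplay.maxConnections = "1"
"""


def hardened_vmx():
    """Build a .vmx fragment that sets every checked parameter to its hardened value."""
    return "\n".join(f'{key} = "{value}"' for key, value in EXPECTED.items()) + "\n"


if __name__ == "__main__":
    for key, actual, expected in audit_vmx(SAMPLE_VMX):
        state = "missing" if actual is None else f'set to "{actual}"'
        print(f'{key}: {state}, expected "{expected}"')
```

Run against the constructed sample it reports five findings: the paste setting is explicitly weak and four isolation parameters are absent, which is the common case in practice because a freshly created VM carries none of them. Pointing the same check at every .vmx on a datastore, or at the output of the vSphere API, turns the hardening guide into a repeatable control rather than a one-off review.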

Page 29: Kevin wharram

Virtualization Compliance


Page 30: Kevin wharram

Compliance Issues

• New technologies introduce new components and processes causing conflict with standards and policies

• Internal policies and standards need to be updated to reflect virtualization technology

• Industry standards (PCI DSS, HIPAA, etc.) sometimes lag technology

Page 31: Kevin wharram

Compliance Pyramid

Controls

Policies & Compliance

Processes & Standards

Page 32: Kevin wharram

Cloud Computing


Page 33: Kevin wharram

What is Cloud Computing?

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Source - http://www.nist.gov/itl/cloud/index.cfm

Page 34: Kevin wharram

Types of Cloud Computing

• Private cloud

• Public cloud

• Community cloud

• Hybrid cloud

Page 35: Kevin wharram

What is a Private Cloud?

• Operated solely for an organization

• May be managed by the organization or a third party

• May exist on-premise or off-premise


Page 36: Kevin wharram

Private Cloud Security

Most of the virtualization controls that we spoke about earlier would apply to the Private Cloud, because you control the “Private Cloud.”

Page 37: Kevin wharram

Compliance Pyramid

Controls

Organisation Due-Diligence

Processes & Standards

Page 38: Kevin wharram

Resources

NIST Guide to Security for Full Virtualization Technologies
http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf

VMware hardening guides
http://blogs.vmware.com/security/2010/04/vsphere-40-hardening-guide-released.html

Cloud Security Alliance
http://www.cloudsecurityalliance.org/

NIST Definition of Cloud Computing
http://www.nist.gov/itl/cloud/index.cfm

Center for Internet Security (CIS) Benchmarks on Server Virtualization
http://cisecurity.org/en-us/?route=downloads.benchmarks

Defense Information Systems Agency (DISA)
http://iase.disa.mil/stigs/index.html

Page 39: Kevin wharram

Questions?

Kevin [email protected]
